DevSecOps Git-Secrets AWS

Git secrets for AWS

DevSecOps is the term being passed around recently. Instead of talking about what it is, I wanted to provide an action item that would be quick and easy to implement into your environment. This method will scan git repositories for AWS keys before making them public.

What is git secrets?

Git-Secrets has the ability to scan commits to prevent confidential keys from being shared publicly. Git-Secrets can work as a middle man to approve or deny the commit depending on the findings of the scan.

Main repository can be found here: https://github.com/awslabs/git-secrets

CentOS7/RHEL/Fedora

Lets start by installing the git package with:

[trenchesofit@localhost /]$ sudo yum install git -y

Then we will clone the get-secrets repository with:

[trenchesofit@localhost ~]$ git clone https://github.com/awslabs/git-secrets.git

Navigate to /git-secrets directory

[trenchesofit@localhost ~]$ cd git-secrets

Install git-secrets:

[trenchesofit@localhost git-secrets]$ sudo make install

I posted a test file to ensure the hooks for AWS installed correctly:

[trenchesofit@localhost ~]$ git clone https://github.com/trenchesofit/git-secret-test.git

Add AWS rules for auditing Secret Keys:

[trenchesofit@localhost git-secrets]$ git secrets --register-aws
  • AWS Access Key IDs via (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
  • AWS Secret Access Key assignments via “:” or “=” surrounded by optional quotes
  • AWS account ID assignments via “:” or “=” surrounded by optional quotes
  • Allowed patterns for example AWS keys (AKIAIOSFODNN7EXAMPLE and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)
  • Known credentials from ~/.aws/credentials

Change directory to git-secrets and run scan:

[trenchesofit@localhost git-secret-test]$ git secrets --scan
test.py:3:Access Key = AKIAICKMZTVXEHBPKCYA
test.py:5:Secret Key = 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

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive

–scan will scan the entire directory for matches. You can see in the output git secrets found an access key and secret key in the file test.py.

What Next:

This tool is simple to use and allows your team to automate security into the commit process your devs use daily.

Keep an eye on those Devs, and until next time…….

Stay safe in the Trenches of IT!

Leave a Reply